Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing#13627
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
What about keeping the original$user variable and keep the next line identical to what it was before.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Like this?
publicfunctionloadUserByUsername($username){$user =$this->getUser($username);returnnewUser($user->getUsername(),$user->getPassword(),$user->getRoles(),$user->isEnabled(),$user->isAccountNonExpired(),$user->isCredentialsNonExpired(),$user->isAccountNonLocked());}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@issei-m I think so
…is changed when refreshing
debb422 to729902aCompareissei-m commentedAug 10, 2015
@fabpot@aitboudad Thanks for your reviewing! Now I updated PR and rebased onto 2.3 branch. |
fabpot commentedOct 5, 2015
Thank you@issei-m. |
…s password is changed when refreshing (issei-m)This PR was merged into the 2.3 branch.Discussion----------[Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing| Q | A| ------------- | ---| Bug fix? | yes| New feature? | no| BC breaks? | no| Deprecations? | no| Tests pass? | yes| Fixed tickets | -| License | MIT| Doc PR | -When a user has changed own password, I want to logout any sessions which is authenticated by its user except changer itself.[DaoAuthenticationManager::checkAuthentication()](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php#L59) method seems to concern about it.But, this situation actually never happens because both users that will be passed to this method are always identical in re-authentication.It's because the token refreshes own user via [ContextListener](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Firewall/ContextListener.php#L90) before re-authentication.Commits-------729902a [Security] InMemoryUserProvider now concerns whether user's password is changed when refreshing
When a user has changed own password, I want to logout any sessions which is authenticated by its user except changer itself.
DaoAuthenticationManager::checkAuthentication() method seems to concern about it.
But, this situation actually never happens because both users that will be passed to this method are always identical in re-authentication.
It's because the token refreshes own user viaContextListener before re-authentication.